Create And Enable SSL On Ubuntu LAMP Server

Introduction

SSL is used to encrypt data between the client (e.g. a user viewing a website) and the web server hosting the site. SSL uses certificates, which are signed and used to verify the identity of a website. As with any vendor-based system, a certificate is only as trustworthy as its issuer. This means anyone can generate an SSL certificate, but only those issued by recognised "certified vendors" are treated as trusted.

Pre-requisites

This post assumes Apache 2 is installed on Ubuntu 10.04 (other versions may also apply) without issues. The default virtual host is used as the example.

Ensure the CSR details are correct:
openssl req -noout -text -in www.dannytsang.com.csr
If not, go through the steps above again to re-generate the CSR.

Submit the CSR to the vendor.

The vendor will verify the details submitted before issuing the SSL certificate. Once that is complete, continue to the next stage.

Depending on the level of SSL certificate applied for, there are always at least two certificates that have to be included in Apache: the vendor's certificate that signs the SSL certificate, and the SSL certificate itself.

Copy the vendor certificate to /etc/apache2/ssl (create the directory first):
sudo mkdir /etc/apache2/ssl
For example:
sudo vi /etc/apache2/ssl/CaCert.pem
Update 13/02/2012: This may also be referred to as an "INTERMEDIATE CA" or "Intermediate Certificate Authority" certificate.

Copy the site / domain SSL certificate:
sudo vi /etc/apache2/ssl/www.dannytsang.com.crt
Update 13/02/2012: This may also be referred to as the web server certificate.

There are various ways to enable HTTPS on a website. The two options covered in this article are:

Site Wide – The whole site uses HTTPS so that all traffic is encrypted. This is the most secure method. One limitation is that any "resources" displayed on the site that are not served from an HTTPS source will cause the browser to show a warning to the user. The site's own traffic is still encrypted, but the non-HTTPS parts, e.g. Ads, are not.

Login / Accounts only – Traffic from the user's log in onwards is encrypted. Other parts of the site are not.

For the Login / Accounts only option, WordPress will be used as the example.

For both options there should be two virtual hosts configured in Apache: one for non-encrypted traffic and the other for encrypted traffic. If the desired effect is for the user to explicitly type https into the browser, then only the secure virtual host is needed. Otherwise a redirect will be created so that users entering http://www.dannytsang.com will automatically go to https://www.dannytsang.com. The following assumes the virtual host file has already been created and is working. The virtual host file will be called dannytsang.

Make a copy of the virtual host which will be used for the SSL part of the site:
sudo cp /etc/apache2/sites-available/dannytsang /etc/apache2/sites-available/dannytsangssl

ServerName – Ensure this directive is set to the same name as the SSL certificate, e.g. ServerName www.dannytsang.com

SSLEngine – Turn SSL on, e.g. SSLEngine On

SSLCACertificateFile – Path to the vendor or "Certificate Authority" signing certificate. This may be optional and not required if the issuer did not mention it, e.g. SSLCACertificateFile /etc/apache2/ssl/CaCert.pem

Note that my example does not contain SSLCACertificateFile. For a self-generated SSL certificate only SSLCertificateFile is needed. Update 27/05/2012: For a self-signed certificate (a certificate not issued by a CA), the only two lines that need to be added are:
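As an added check (this is my own example code, not part of the original post), the following script parses an Apache configuration and lints each `<VirtualHost>` for the directives discussed above: ServerName must match the certificate's host name, SSLEngine must be on, SSLCertificateFile and SSLCertificateKeyFile must be present, and unless the certificate is self-signed an intermediate CA certificate should be shipped via SSLCACertificateFile (or the alternative SSLCertificateChainFile). The sample configuration is constructed; the .key path is assumed, while the .crt and CaCert.pem paths follow the post's /etc/apache2/ssl layout.

```python
"""Lint Apache SSL <VirtualHost> blocks for the directives an HTTPS site needs.

Added example, not code from the original post. The sample config below is
constructed; only the certificate paths follow the post's layout.
"""
import re
from dataclasses import dataclass, field

# Apache directive names are case-insensitive; we store them lower-cased
# and report them with their conventional spelling.
CANONICAL = {
    "servername": "ServerName",
    "sslengine": "SSLEngine",
    "sslcertificatefile": "SSLCertificateFile",
    "sslcertificatekeyfile": "SSLCertificateKeyFile",
    "sslcacertificatefile": "SSLCACertificateFile",
    "sslcertificatechainfile": "SSLCertificateChainFile",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


@dataclass
class VHost:
    address: str                                   # e.g. "*:443"
    directives: dict = field(default_factory=dict)  # lower-cased name -> value


def parse_vhosts(text):
    """Return one VHost per <VirtualHost> block (nested sections are skipped)."""
    hosts = []
    for match in VHOST_RE.finditer(text):
        vh = VHost(address=match.group(1).strip())
        for line in match.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#") or line.startswith("<"):
                continue
            parts = re.split(r"\s+", line, maxsplit=1)
            vh.directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        hosts.append(vh)
    return hosts


def lint_ssl_vhost(vh, expected_name, self_signed=False):
    """Return a list of problems; an empty list means the host looks consistent."""
    d = vh.directives
    problems = []
    if d.get("sslengine", "").lower() != "on":
        problems.append("SSLEngine is not 'on'")
    if d.get("servername") != expected_name:
        problems.append(f"ServerName {d.get('servername')!r} does not match "
                        f"certificate name {expected_name!r}")
    for needed in ("sslcertificatefile", "sslcertificatekeyfile"):
        if needed not in d:
            problems.append(f"missing {CANONICAL[needed]}")
    # A vendor-issued certificate normally needs the intermediate CA installed too;
    # a self-signed certificate has no issuer certificate to install.
    if (not self_signed and "sslcacertificatefile" not in d
            and "sslcertificatechainfile" not in d):
        problems.append("no intermediate CA certificate "
                        "(SSLCACertificateFile or SSLCertificateChainFile)")
    if not vh.address.endswith(":443"):
        problems.append(f"VirtualHost address {vh.address!r} is not on port 443")
    return problems


# Constructed sample: the first host is complete, the second has several mistakes.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    ServerName www.dannytsang.com
    DocumentRoot /var/www/dannytsang
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/www.dannytsang.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.dannytsang.com.key
    SSLCACertificateFile  /etc/apache2/ssl/CaCert.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName dannytsang.com
    SSLEngine off
    SSLCertificateFile /etc/apache2/ssl/www.dannytsang.com.crt
</VirtualHost>
"""

if __name__ == "__main__":
    for vh in parse_vhosts(SAMPLE_CONFIG):
        issues = lint_ssl_vhost(vh, "www.dannytsang.com")
        print(vh.directives.get("servername"), "->", issues or "OK")
```

Run it against a real file by reading /etc/apache2/sites-available/dannytsangssl into `parse_vhosts`; each problem it reports corresponds to one of the directive notes above, so the list doubles as a checklist before `a2ensite` and the Apache restart.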

Site Wide HTTPS

One of the pitfalls of site-wide encryption is that all content must reside on the https domain or come from other https sources. Below is an example of what Google's Chrome browser would show if content didn't come from a secured resource. In my case it was Ads:

Edit the non secure virtual host file of the site:
sudo vi /etc/apache2/sites-available/dannytsang

The RewriteRule decides when the URL is changed to https. In this case it looks for any of the following after the domain: wp-admin, wp-login or wp-register, e.g. www.dannytsang.com/wp-login.php. Multiple rules may be added to match all sorts of sub-directories.

Save and exit the virtual host file.

Add the following to the non secure site so that going from a login / admin page to a normal part of the site (e.g. logging out and going back to the front page) changes it back to non-https:
vi /etc/apache2/sites-available/dannytsang
<Directory /var/www/dannytsang>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule !^wp-(admin|login|register)(.*) - [C]
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [L]
</IfModule>
</Directory>

Save and exit the virtual host file.
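To check how the two rule sets interact without restarting Apache, here is an added example (my own code, not from the original post) that models them with Python regexes: the rule block above, which sends every path outside wp-admin/wp-login/wp-register back to http, and the https redirect described earlier, which this example reconstructs from that prose description (its exact RewriteRule text is an assumption). It shows what the negated pattern and the [C] chain flag do, and that the two rule sets partition the paths so a request settles after at most one redirect. The host name is the post's; the sample paths are constructed.

```python
"""Model the mod_rewrite rules for the secure and plain virtual hosts.

Added example, not code from the original post. The https redirect rule is
reconstructed from the prose description and is an assumption.
"""
import re

HOST = "www.dannytsang.com"
# After "RewriteBase /" the path matched inside <Directory> has no leading slash.
SECURE_AREA = re.compile(r"^wp-(admin|login|register)(.*)")


def rewrite_on_secure_host(path):
    """Rules from the block above, applied on the https host.

    Rule 1: RewriteRule !^wp-(admin|login|register)(.*) - [C]
        '!' negates the pattern, '-' leaves the URL unchanged and [C] runs the
        next rule only if this one matched.
    Rule 2: RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [L]
    Returns the new URL, or None when the chain stops at rule 1.
    """
    rel = path.lstrip("/")
    if SECURE_AREA.match(rel):
        return None  # rule 1 did not match, so the chained rule 2 is skipped
    return f"http://{HOST}/{rel}"


def rewrite_on_plain_host(path):
    """Assumed https redirect on the http host: only the secure area is rewritten."""
    rel = path.lstrip("/")
    if SECURE_AREA.match(rel):
        return f"https://{HOST}/{rel}"
    return None


def resolve(scheme, path, max_hops=5):
    """Follow the redirects between the two hosts until the URL stops changing."""
    url = f"{scheme}://{HOST}/{path.lstrip('/')}"
    for _ in range(max_hops):
        current_scheme, rest = url.split("://", 1)
        current_path = rest[len(HOST):]
        if current_scheme == "https":
            new = rewrite_on_secure_host(current_path)
        else:
            new = rewrite_on_plain_host(current_path)
        if new is None or new == url:
            return url
        url = new
    raise RuntimeError("redirect loop between the secure and plain hosts")


if __name__ == "__main__":
    for scheme, path in [("http", "/wp-login.php"), ("https", "/"),
                         ("https", "/wp-admin/post.php"), ("http", "/about/")]:
        print(f"{scheme}://{HOST}{path}  ->  {resolve(scheme, path)}")
```

The `resolve` helper is the useful part: if a new rule is added for another sub-directory on one host but not the other, the two hosts can bounce a request back and forth, and the loop check here reports it before Apache's own internal redirect limit does.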

Enable mod_rewrite in Apache:
sudo a2enmod rewrite

Enable the new secure virtual host:
sudo a2ensite dannytsangssl

Restart Apache:
sudo service apache2 restart

Edit the WordPress config file (wp-config.php) and add the following line to the bottom of the file:
define('FORCE_SSL_ADMIN', true);

Debugging Tools & Methods

I found Google Chrome to be the best browser to troubleshoot SSL problems. Chrome is the most prominent in showing HTTPS problems (see the non secure sources screenshot above). The problem with Chrome was that it was more strict on showing the "padlock" HTTPS icon.
The Console in Chrome (Ctrl+Shift+J > Console tab) lists insecure content warnings.

Summary

Whilst going through this setup process myself, it has been a long and arduous process (even if it doesn't look it from this write-up). I have learnt:

Check the Certificate Authority – Ensure the SSL certificate is issued / signed by a reputable organisation. SSL providers are not necessarily the company which signs them. Also, cheap SSL certificates may be signed by a CA that is unknown or not recognised as verified. The list of trusted CAs varies from browser to browser.

Non secure SSL – Even if a page or site is encrypted using the HTTPS protocol, the page is not deemed secure if any information on it comes from a non-secure site.

Check WordPress Plugins – Some plugins are not HTTPS aware, for example lightbox2.

Clear Cookies & Cache – Sometimes browsers cache information, so even restarting the web server may still result in an insecure page / site. I found the best practice was to close the browser and start it up again. A quicker way is to clear the cache and cookies associated with the site.


About Danny

I.T. software professional, always studying and applying the knowledge gained, and one way of doing this is to blog.
Danny also participates in a part-time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premises.
Dedicated to I.T. since studying pure Information Technology from the age of 16, Danny Tsang is working in the field he has aimed for since leaving school.